A network system, a router and a network setup method

Field of the invention

[0001] The present invention relates generally to the field of electronic data processing and digital communications networks, and more particularly to a network system, a router and a network setup method.

Description of the Related Art 

[0002] Digital communications networks have continued to grow in importance as people have come to rely on the electronic exchange of information to support both business and personal pursuits. Email, the electronic transfer of files, and various other services are all made possible by the use of digital communications networks. The type of digital communications network employed often depends on the size of the network to be implemented as well as the needs and capabilities of the party or parties implementing the network. Hardware cost and network management complexity are often a factor when choosing the type of network to be implemented.

[0003] Networks limited to a small geographical region, e.g. a single office location, are frequently called local area networks (LANs). LANs are often privately-owned networks within a building or building agglomeration and are widely used to connect personal computers and workstations at a single location to one another and to shared resources such as printers and/or local centralized file storage. In order to be able to communicate between the various workstations, printers, databases etc. linked together within a LAN, any device is assigned a unique address, i.e. a 48-bit Media Access Control (MAC) address.

[0004] Computers and other devices located on different LANs are often connected with each other via an internet. The World Wide Web or "the" Internet is used to connect computers and other devices located at universities, government offices, businesses and individuals together. Routers serve as forwarding devices and, optionally, as gateway devices. IP addresses serve to identify source and destination devices and to determine the appropriate route upon which packets should be transmitted. Source and destination IP addresses are included, along with data, in IP packets used to transmit information across the Internet. Every host and router on the Internet has an IP address which encodes its IP network number and host number. The combination is unique; no two machines have the same IP address. All IP addresses are 32 bits long and are used in the source address and destination address fields of IP packets.

[0005] Thus, existing conventional IT system environments are server oriented with each server having one unique IP address. A server is a computer which provides service(s) for other computers (clients) connected to the server via a network. All services being run on such a server can communicate with the outside world via this address. Each service on the server is assigned a unique port number and can be addressed unambiguously with a combination of IP address and port number. For example, if the IP address of a server is 10.10.10.100 and the port number of a given service on this server is 80, the combination would be 10.10.10.100:80.
[0006] In a modern system environment, the servers are booted via PXE/BOOTP/TFTP (Portable Execution Environment/Bootstrap Protocol/Trivial File Transfer Protocol) in the LAN and are assigned a unique IP address via DHCP (Dynamic Host Configuration Protocol), their "physical IP". Each service started on a server is also assigned its own "virtual IP" address. This allows services to be run independently from the machines, i.e. the services can actually be run on any server without the need for the client to change the configuration. E.g. a client always accesses a service at 10.10.10.10, which can be run on the server 10.10.1.2 or any other server in this LAN. The physical IP of the server running the service is not known and does not need to be known by the client. To the outside world, such a system environment appears as a closed unity which offers its services to outside users with only little configuration effort.

[0007] As already outlined above, servers in traditional system environments are typically located in their own network segment which is called the server LAN. The server LAN is connected to the corporate LAN via a router. Access to the server LAN is regulated by means of access lists which for example block port ranges or IP ranges. Figure 1 shows a traditional system environment with shared IP address ranges (in the following also designated as "IP ranges"), comprising a server LAN 112 which is connected to a corporate LAN or WAN 114 via a router 116. Access lists which are administrated in the router 116 form the basis for allowing or blocking connections. In the example illustrated in Figure 1, a client with the IP address 10.20.30.40 could for example access a service at the IP address and port combination 10.10.10.100:80, but not a service at 10.10.10.100:23.

[0008] In more modern system environments, the servers are also located in their own network segment (server LAN) which is connected to the corporate LAN via an application level gateway. A gateway is a device which interconnects networks with different, incompatible communications protocols, comprising a protocol conversion to translate one set of protocols into another set. In such an environment, the server LAN has to be run in an autarkic manner. To achieve this, the server LAN has its own IP range and the routing between the corporate LAN and the server LAN is not activated, as any moving of the system environment would either require a total change of all the routing tables in the corporate LAN or a complete change to the IP configuration of the server LAN. Therefore, the gateway computer is assigned one or more IP addresses within the IP range of the corporate LAN through which the services are available.

[0009] Figure 2 illustrates an example of a network setup with separate IP ranges as known from the prior art. In this known setup, a server LAN 212 is again connected to a corporate LAN or WAN 214, this time via a gateway system comprising a so-called proxy server 216. A proxy server (or proxy) is an entity which is commonly established on a LAN where it is located between a client and the "real" server. All requests of the client are then made through the proxy, which in turn makes requests to the "real" server and passes the result back to the client. Sometimes the proxy stores the result and gives the stored result instead of making a new request (in order to reduce use of the network).

[0010] Referring again to Figure 2, in case of a client query the proxy 216 is indicated as a sender side intermediate station for reaching the desired service. The protocols used by the services run on the server LAN therefore have to be suitable for proxy use. The gateway system further comprises a forwarding rule table 218 which allows the so-called forwarding. This means that a given combination of IP address and port number (e.g. 10.10.10.100:80) of the corporate LAN is being assigned to a given combination of IP address and port number (e.g. 192.168.10.100:80) of the server LAN. As a result, that path of the connection is fixedly configured in the gateway and not in the client. A disadvantage of this network setup is that it has to be known for every protocol used by a service which type of connection the given protocol uses. Protocols which are able to build up a second connection path on their own (for example a backward channel, as FTP (File Transfer Protocol) does) may not be linked in via the so-called forwarding. The only possible transport protocol for forwarding is the stream type protocol TCP (Transmission Control Protocol). Bi-directional communication via packet type communication protocols such as UDP (User Datagram Protocol) or IGMP (Internet Group Management Protocol) is not possible.

[0011] Figure 3 finally shows a further network setup as known from the prior art in which a server LAN 312 is connected to a corporate LAN or WAN 314 via a so-called Network Address Translation (NAT) service 316. NAT is an improvement of the forwarding service as described above and has the advantage of allowing the use of packet type protocols like UDP and IGMP. In NAT, the gateway internally holds a module with link tables for every communication protocol type. This allows setting up a back connection from the server LAN into the corporate LAN in case the communication protocol is known and implemented in the module. However, there is the disadvantage that not all protocol implementations are known and implemented in such modules, so they cannot be used with NAT.

18-SEP-2003 19:10 HtteSLE KUDLEK & PARTNER +49 711 24839525

[0012] As IP addresses are limited resources, the problem is to provide a network setup which allows a flexible assignment of addresses to access services run on a server without having to implement extensive access lists or forwarding rules.

Summary of the Invention

[0013] It is therefore an object of the invention to provide a network system, a router and a network setup method with improved accessing mechanisms for services. This object is achieved by proposing a network system with the features of claim 1, a router with the features of claim 6 and a network setup method with the features of claim 9.

[0014] According to the invention, a computer network system comprises a plurality of client hardware elements forming a computer network such as a Local Area Network LAN or Wide Area Network WAN or any other type of computer network, and a server network segment. The server network segment is interconnected with the computer network by means of a router. A router is a device well known to the person skilled in the art which serves to forward packets between networks. The forwarding decision of the router is based on network layer information and/or routing tables (often constructed by routing protocols). In the invention, the computer network is assigned a first access address range, and said server network segment is assigned a second access address range and a third access address range. Further, the second access address range is separate from the first access address range and the third access address range represents at least a sub-range of the first access address range, the router being set up to only route addresses within the same access address range.

[0015] The invention allows the use of standard routers with the possibility of defining address ranges to be passed and address ranges to be blocked. This can be done for example with a conventional filter by defining the according ranges of the second and third access address ranges, respectively. As a result, no complex access lists have to be managed any more, and a move of a service can be handled automatically by adjusting the new address range. The invention consists in a mixture of shared address ranges and separate address ranges, which also allows the creation of back connections as well as the use of UDP and IGMP.

[0016] In one possible embodiment, the network addresses used to access services in the invention are Internet Protocol (IP) addresses, but any other address or protocol system can be used in connection with the invention.

[0017] The invention also covers a computer program with program coding means which are suitable for carrying out a process according to the invention as described above when the computer program is run on a computer. The computer program itself as well as stored on a computer-readable medium is claimed.

[0018] Further features and embodiments of the invention will become apparent from the description and the accompanying drawings.

[0019] It will be understood that the features mentioned above and those described hereinafter can be used not only in the combination specified but also in other combinations or on their own, without departing from the scope of the present invention.

[0020] The invention is schematically illustrated in the drawings by means of an embodiment by way of example and is hereinafter explained in detail with reference to the drawings. It is understood that the description is in no way limiting on the scope of the present invention and is merely an illustration of a preferred embodiment of the invention.

Brief Description of the Drawings

[0021] In the drawings,

Figure 1 is a prior art network setup with shared IP ranges;

Figure 2 is a prior art network setup with separate IP ranges using a proxy;

Figure 3 is a prior art network setup with separate IP ranges using network address translation;

Figure 4 is a block diagram of a network setup with separate IP ranges according to the invention;

Figure 5 shows an embodiment of a server network segment of a network setup according to the invention.

Detailed Description

[0022] The invention is illustrated by means of one possible embodiment in which the computer network is a so-called Corporate LAN or WAN which is depicted as a cloud in the schematic block diagram illustration of Figure 4, and in which the server network segment is a so-called Server LAN which is also depicted as a cloud. The access address ranges referred to in the embodiment are IP address ranges. However, it is clear to the person skilled in the art of network systems that any other type of network and/or server arrangement and/or protocol can be used in connection with the invention.

[0023] Figure 4 shows a network setup according to the invention. The network comprises a server LAN 412 and a corporate LAN or WAN 414. The server LAN 412 and the corporate LAN 414 are connected with each other via a router 416. The connections between the corporate LAN 414 and the server LAN 412 and the router 416 are established via Ethernet cards ETH0 and ETH1, respectively. Of course, any other link type, such as FDDI, Token Ring, SLIP, PPP etc. may be used.

[0024] The corporate LAN 414 and the server LAN 412 have separate IP ranges, which is illustrated by the indication "IP range 10.x.x.x" underneath the corporate LAN 414 and the depictions "IP range 192.168.x.x" and "IP range 10.10.10.x" underneath the server LAN 412.

[0025] According to the invention each service on the server LAN is assigned an IP address. Every service on the server LAN which shall be open for access to the corporate LAN is assigned an IP address within the corporate LAN IP range(s) (e.g. 10.10.10.100). Every service which shall only be available internally to the server LAN is assigned an IP address within the server LAN IP range (e.g. 192.168.10.100). This also applies to the IP addresses of the respective hardware.

[0026] As will be understood by a person skilled in the art, the corporate LAN 414 may be assigned one or several further IP ranges (e.g. 172.x.x.x), and the server LAN 412 could also be assigned further IP ranges accordingly, which could be sub-ranges of the further IP ranges of the corporate LAN (e.g. 172.10.20.x and/or 172.20.x.x). It becomes apparent that within the scope of this invention, any number of access address ranges can be used and mixed on both sides, i.e. network and server, with the router defining ranges to be routed (routable ranges) and ranges not to be routed (non-routable ranges). The ranges can have any addresses as long as the logical relation between routable and non-routable ranges is properly defined in the router.

[0027] The connection between the corporate LAN 414 and the server LAN 412 is established by the router 416, which can be a standard router with a packet filter. The filter is implemented in such a manner that the server LAN exclusive IP range 192.168.x.x is blocked and only the common or shared range 10.10.10.x is routed. The use of filters which are set up in view of the common IP range improves the system security. Filter rules regarding the IP range of the server LAN 412 only have to be implemented once for the whole system lifetime. It is to be understood that the router setup can also be done without filter definitions, for example by means of routing tables or routing protocols.

[0028] Referring now to Figure 5, an example of an embodiment of the server network segment 412 of the network setup of Figure 4 is described in more detail. The server LAN 412 comprises three different hardware elements, i.e. a first hardware element 420, a second hardware element 422 and a third hardware element 424. Operating systems, monitoring agents and secure shell daemons run on each of these hardware elements 420, 422, 424.

[0029] On the first hardware element 420, three application servers run. It is to be understood that the term "server" does not stand for a hardware element but rather for a service.
[0030] The second hardware element 422 comprises a database server as well as a fourth application server which has to access the database server. A global system monitor is installed on the third hardware element 424, which system monitor is fed with data from the monitoring agents.

[0031] The three application servers of the first hardware element 420 and the one application server of the second hardware element 422 have routable IP addresses 10.10.10.3, 10.10.10.4, 10.10.10.5 and 10.10.10.6, and can thus be accessed from the "exterior", i.e. from outside the server LAN 412. The database server on the second hardware element 422 is only of interest to the application servers, as it never has to be accessed by outside clients directly. Therefore, the database server is assigned an internal, i.e. non-routable address 192.168.100.2.

[0032] The monitoring agents only communicate with the system monitor server of the third hardware element 424 and thus have internal addresses 192.168.20.3, 192.168.20.4 and 192.168.20.5. The purpose of the system monitor is to make bundled information of the monitoring agents available to the clients. Thus, the system monitor is assigned an external, routable address 10.10.10.2.

[0033] The secure shell daemons on the first and second hardware elements shall only be accessible internally for security reasons and thus are assigned non-routable addresses. However, the secure shell daemon of the third hardware element shall be accessible for clients, too, and thus has the routable address 10.10.10.1. A log-in to the secure shell daemon of the third hardware element allows for a connection with the secure shell daemons of the first and second hardware elements.
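To make the routing rule of [0027] and the address plan of the Figure 5 embodiment ([0028] to [0033]) concrete, here is an added Python model; it is not code from the application. It classifies packets at router 416 by the access address ranges of Figure 4 and lists which Figure 5 services a corporate client can reach. The interface names ETH0/ETH1, the client address 10.20.30.40 (from [0007]) and the service addresses come from the text; the /8, /24 and /16 prefix lengths standing in for the x.x.x notation, and the function names, are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Access address ranges of the Figure 4 embodiment. Each entry pairs a
# corporate-LAN range (first range) with the sub-range of it that the server
# LAN shares (third range); [0026] allows several such pairs. Prefix lengths
# are assumed, the text only writes 10.x.x.x, 10.10.10.x and 192.168.x.x.
ROUTABLE_PAIRS = [
    (IPv4Network("10.0.0.0/8"), IPv4Network("10.10.10.0/24")),
]
# Server-LAN-exclusive range (second range), separate from every corporate range.
NON_ROUTABLE = [IPv4Network("192.168.0.0/16")]

ETH0 = "ETH0"  # router interface towards the corporate LAN 414
ETH1 = "ETH1"  # router interface towards the server LAN 412


def route(ingress: str, src: str, dst: str) -> str:
    """Return the egress interface for a packet seen on `ingress`, or "DROP".

    Only the rule of the text is applied: a packet is routed only if source
    and destination stay within the same access address range. The shared
    sub-range lies inside the corporate range, so corporate <-> 10.10.10.x
    traffic qualifies in both directions (back connections, UDP, IGMP);
    the exclusive 192.168.x.x range is never routed.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    if any(s in n or d in n for n in NON_ROUTABLE):
        return "DROP"  # filter rule of [0027]: block the exclusive range
    for corporate, shared in ROUTABLE_PAIRS:
        if ingress == ETH0 and s in corporate and d in shared:
            return ETH1  # client reaching a routable service
        if ingress == ETH1 and s in shared and d in corporate:
            return ETH0  # routable service answering or opening a back connection
    return "DROP"  # address outside the configured ranges or wrong interface


@dataclass(frozen=True)
class Service:
    name: str
    address: str


# Figure 5 embodiment, addresses as stated in [0031] to [0033]. The secure
# shell daemons of elements 420 and 422 have non-routable addresses that the
# text does not give, so they are left out here.
SERVICES = [
    Service("application server 1", "10.10.10.3"),
    Service("application server 2", "10.10.10.4"),
    Service("application server 3", "10.10.10.5"),
    Service("application server 4", "10.10.10.6"),
    Service("database server", "192.168.100.2"),
    Service("monitoring agent 1", "192.168.20.3"),
    Service("monitoring agent 2", "192.168.20.4"),
    Service("monitoring agent 3", "192.168.20.5"),
    Service("system monitor", "10.10.10.2"),
    Service("secure shell daemon (424)", "10.10.10.1"),
]


def reachable_from(client: str) -> list:
    """Names of the services a corporate client can open a connection to."""
    return [svc.name for svc in SERVICES if route(ETH0, client, svc.address) == ETH1]


def internal_only() -> list:
    """Names of the services that no corporate client can reach via the router."""
    return [svc.name for svc in SERVICES
            if any(IPv4Address(svc.address) in n for n in NON_ROUTABLE)]


if __name__ == "__main__":
    client = "10.20.30.40"  # the client address used in [0007]
    print("reachable from", client, ":", reachable_from(client))
    print("internal only:", internal_only())
    print("database from corporate:", route(ETH0, client, "192.168.100.2"))
    print("back connection from app server 4:", route(ETH1, "10.10.10.6", client))
```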
[0034] According to the invention, the identical IP range of the server LAN can be used in any number of parallel server LANs; a multi-use of an IP range becomes possible and IP address space is saved. In case of physical moves of the network system or part of the network system, only the IP addresses of the services have to be changed and the filters have to be adapted to the new IP addresses, which is a trivial matter and can be handled automatically. The invention provides for a novel and inventive method which does not require a conversion or translation of protocols but which rather works on the basis of routing definitions. Obviously, the invention is not limited to the use of only one access address range assigned to the computer network or corporate LAN, as it also covers a computer network which is assigned two or even more different ranges of access addresses.
CLAIMS

1. A computer network system comprising:
    a plurality of client hardware elements forming a computer network (414);
    a server network segment (412); and
    a router (416) for interconnecting the computer network (414) with the server network segment (412);
    the computer network (414) being assigned at least one first access address range, and the server network segment (412) being assigned at least one second access address range and at least one third access address range, wherein the at least one second access address range is separate from the at least one first access address range and the at least one third access address range represents at least a sub-range of the at least one first access address range, and wherein the router (416) is set up to only route addresses within the same access address range.

2. A computer network system according to claim 1, wherein the access address ranges are Internet Protocol address ranges.

3. A computer network system according to claim 1 or 2, wherein the server network segment is a LAN server (412).

4. A computer network system according to any one of claims 1 to 3, wherein the computer network is a Local Area Network LAN or a Wide Area Network WAN.
5. A computer network system according to any one of claims 1 to 4, wherein the router comprises a filter set up to block addresses from the second access address range and to let pass addresses from the third access address range.

6. A router (416) for interconnecting a server network segment (412) with a computer network (414), the computer network (414) being assigned at least one first access address range, and the server network segment (412) being assigned at least one second access address range and at least one third access address range, wherein the at least one second access address range is separate from the at least one first access address range and the at least one third access address range represents at least a sub-range of the at least one first access address range, and wherein the router (416) is set up to only route addresses within the same access address range.

7. A router (416) for interconnecting a server network segment (412) with a computer network (414), the computer network (414) being assigned at least one first access address range, and the server network segment (412) being assigned at least one second access address range of non-routable access addresses and at least one third access address range of routable access addresses, wherein the router (416) is set up to only route routable access addresses and to block non-routable addresses.

8. A router according to claim 6 or 7, wherein the access address ranges are Internet Protocol address ranges.

9. A router according to claim 6 or 8, the router comprising a filter which is set up to block addresses from the second access address range and to let pass addresses from the third access address range.
10. A network setup method comprising the steps of:
    assigning one or more first access address range(s) to a computer network (414);
    assigning one or more second access address range(s) to a server network segment (412), the second access address range(s) being separate from the first access address range(s);
    assigning one or more third access address range(s) to the server network segment (412), the third access address range(s) representing at least a sub-range of the first access address range(s);
    setting up a router (416) for interconnection of the computer network (414) with the server network segment (412) in such a manner that the router (416) only routes addresses within the same access address range.

11. A method according to claim 10, wherein the access address ranges are Internet Protocol address ranges.

12. A method according to claim 10 or 11, wherein the server network segment is a LAN server (412).

13. A method according to any one of claims 10 to 12, wherein the computer network is a Local Area Network LAN or a Wide Area Network WAN.

14. A method according to claim 12, further comprising the step of setting up a filter in the router in such a manner that the filter blocks addresses from the second access address range(s) and passes addresses from the third access address range(s).

15. A computer program product with a computer-readable medium and a computer program stored on the computer-readable medium with program coding means which are suitable for carrying out a method according to any one of claims 10 to 14 when the computer program is run on a computer.

16. A computer program with program coding means which are suitable for carrying out a method according to any one of claims 10 to 14 when the computer program is run on a computer.

17. A computer-readable medium with a computer program stored thereon, the computer program comprising program coding means which are suitable for carrying out a method according to any one of claims 10 to 14 when the computer program is run on a computer.